Abstract

In this report we present a formal model of fair iteration of events in a B event system. The model is used to justify proof obligations for basic liveness properties and for the preservation of general liveness properties under refinement. The model of fair iteration of events uses the dovetail operator, an operator proposed in [1] to model fair choice. The proofs are mainly founded on fixpoint calculations of the fair iteration of events and on the weakest precondition calculus.

Keywords 

Liveness properties, Event systems, B method, Unity logic, Refinement, Fairness, Weak Fairness.

Résumé (French abstract, translated)

In this report we present a formal model of fair iteration of events in a B event system. The model is used to justify proof obligations for basic liveness properties and for the preservation of general liveness properties under refinement. The model of fair iteration of events uses the dovetail operator, an operator proposed in [1] to model fair choice. The proofs are mainly founded on fixpoint calculations of the fair iteration of events and on the weakest precondition calculus.

Keywords (translated)

Liveness properties, event systems, B method, Unity logic, refinement, fairness, weak fairness.
1 Introduction



In [?] we proposed the specification and proof of liveness properties under a weak fairness assumption in B event systems [2]. The syntax and semantics of the liveness properties that we adopted are similar to the ones used in UNITY.

Liveness properties are divided into two classes: basic liveness properties and general liveness properties. Basic properties are specified by the ensures relation $\rhd_w$. General liveness properties are specified by the leads-to relation $\leadsto$. Both $\rhd_w$ and $\leadsto$ are relations between predicates on the system state.

We proposed two proof obligations for basic liveness properties founded on weakest pre- 
condition calculus. The proof of general liveness properties is made by applying inference 
rules of the UNITY logic. 

Following the B method, an abstract model can be refined into a more concrete one. To preserve through refinement the liveness properties specified in abstract models, we proposed two other proof obligations. One proof obligation is discharged by applying the weakest precondition calculus; the other one requires identifying basic liveness properties in the refinement and applying the UNITY logic.

The goal of this report is to justify the proof obligations concerning proofs of basic liveness properties and the preservation of general liveness properties under refinement, by reasoning on the set-theoretic formulation of event systems. Our approach was inspired by [?], where proof obligations concerning modalities are justified by fixpoints of the iteration of events, instead of by reasoning over the set of traces of a system, as is done in [2]. However, our approach uses a model including a fair choice operator, which allows us to model our weak fairness assumption over the iteration of events.

This report is structured as follows. In section 2 we present the main definitions used in this work. In particular we define the liberal set transformer for events in a B system and we present the dovetail operator, which is used to model our fairness assumption. In section 3 we introduce the proof obligations for basic liveness properties and we prove that they are sufficient conditions to guarantee that the fair iteration of events in the system terminates in a state satisfying the postcondition established by the basic liveness property. In section 4 we present how to specify and prove general liveness properties. Moreover, we give two proof obligations to guarantee the preservation of general liveness properties under refinement, and we demonstrate that they are sufficient conditions to ensure that the fair iteration of refined events terminates in a state satisfying the predicate established by the general liveness property. In the last section we give the conclusions of this report and some comments about future work.

2 The dovetail operator 

In [3] the dovetail operator, a fair nondeterministic choice operator, is introduced. In this section we give the definition of this operator by its weakest liberal set transformer. In the first part of this section we define the weakest liberal set transformer of events in a B event system. In the second part we give the formal definition of the dovetail operator by the definition of its weakest liberal set transformer and of its termination set.

2.1 The Liberal Set Transformer 

In [?], each generalized substitution $S$ has an associated set transformer $\mathrm{str}(S)$ of type $\mathbb{P}(u) \to \mathbb{P}(u)$, where $u$ is the state space of a machine or refinement. For any $r$ in $\mathbb{P}(u)$, $\mathrm{str}(S)(r)$ denotes the largest subset of states where the execution of $S$ must begin in order for the substitution $S$ to terminate in a state belonging to $r$. In [2] the events of a B system are formalized by conjunctive set transformers, but instead of identifying the set transformer associated with an event $F$ by $\mathrm{str}(F)$, it is denoted by its name $F$. In this way $F(r)$ denotes the set $\mathrm{str}(F)(r)$, where $F$ is an event of a B system and $r$ a subset of the state space $u$. In what follows, we use this notation.

In order to deal with the notion of the weakest liberal precondition of an event $F$, we define the liberal set transformer of an event $F$ as $\mathcal{L}(F)$.

Definition 1. The Liberal Set Transformer

$$\mathcal{L}(F) = \lambda r \cdot (r \in \mathbb{P}(u) \mid \{x \mid x \in u \wedge \mathrm{wlp}(F, x \in r)\})$$

The set $\mathcal{L}(F)(r)$ denotes the largest subset of states where the execution of event $F$ must begin in order for $F$ to terminate in a state belonging to $r$ or to loop. The liberal set transformers of the events in a B system are defined as follows:



$$\begin{aligned}
\mathcal{L}(\mathrm{skip})(r) &= r \\
\mathcal{L}(F \mathbin{[]} G)(r) &= \mathcal{L}(F)(r) \cap \mathcal{L}(G)(r) \\
\mathcal{L}(p \mid F)(r) &= (p \cup \{x \mid x \in u \wedge u \subseteq r\}) \cap \mathcal{L}(F)(r) \\
\mathcal{L}(F ; G)(r) &= \mathcal{L}(F)(\mathcal{L}(G)(r)) \\
\mathcal{L}(p \Longrightarrow F)(r) &= \overline{p} \cup \mathcal{L}(F)(r)
\end{aligned}$$

where $r$ and $p$ are subsets of $u$ and $\overline{p}$ is $u - p$. We note that the set $\{x \mid x \in u \wedge u \subseteq r\}$ in the liberal set transformer of the preconditioned event may have only two values: $\emptyset$ for $r \neq u$, or $u$ for $r = u$. In the guarded command $p \Longrightarrow F$ and the preconditioned event $p \mid F$, we follow the notation introduced in [2], where the guard or the precondition of the commands is a set instead of a predicate. The definitions of liberal set transformers presented here are the set counterpart of the definitions in [7].

We remark that the liberal set transformer of any set transformer $S$, made up of set transformers $F$ or $G$ such that $\mathcal{L}(F)(u) = u$ and $\mathcal{L}(G)(u) = u$ and of the operators $[]$, $\mid$ and $;$, satisfies $\mathcal{L}(S)(u) = u$ [?].

The set transformers $F(r)$ and $\mathcal{L}(F)(r)$ for event $F$ and postcondition $r$ are related by the pairing condition:

$$F(r) = \mathcal{L}(F)(r) \cap \mathrm{pre}(F) \quad (1)$$

where $\mathrm{pre}(F)$, the termination set of $F$, is equal to $F(u)$. From the pairing condition we conclude the implication:

$$F(u) = u \;\Rightarrow\; F(r) = \mathcal{L}(F)(r) \text{ for any } r \text{ in } \mathbb{P}(u) \quad (2)$$

which indicates that the set transformers $F$ and $\mathcal{L}(F)$ are the same provided the event $F$ always terminates. When $F(r)$ or $\mathcal{L}(F)(r)$ are recursively defined:

$$F(r) = \mathcal{F}(F(r)) \quad\text{or}\quad \mathcal{L}(F)(r) = \mathcal{G}(\mathcal{L}(F)(r))$$

for monotonic functions $\mathcal{F}$ and $\mathcal{G}$, according to [?] we take $F(r)$ as the strongest solution of the equation $X = \mathcal{F}(X)$ and $\mathcal{L}(F)(r)$ as the weakest solution of the equation $X = \mathcal{G}(X)$. As these solutions are fixpoints, we take $F(r)$ as the least fixpoint of $\mathcal{F}$ ($\mathrm{fix}(\mathcal{F})$) and $\mathcal{L}(F)(r)$ as the greatest fixpoint of $\mathcal{G}$ ($\mathrm{FIX}(\mathcal{G})$).
2.2 Definition of the Dovetail Operator



The dovetail operator is used to model the notion of fair scheduling of two activities. Let $A$ and $B$ be these activities; then the operational meaning of the construct $A \nabla B$ denotes the execution of commands $A$ and $B$ fairly in parallel, on separate copies of the state, accepting as an outcome any proper, nonlooping outcome of either $A$ or $B$. The fair execution of $A$ and $B$ means that neither computation is permanently neglected in favor of the other.

A motivating example of the use of the dovetail operator is given in [1]. In that example the recursive definition $X = (n := 0 \;\nabla\; (X ; n := n + 1))$, which has as solution "set $n$ to any natural number", is contrasted with the recursion $Y = (n := 0 \mathbin{[]} (Y ; n := n + 1))$, which has as solution "set $n$ to any natural number or loop". The possibility of a loop in $X$ is excluded with the dovetail operator because the fair choice of the statement $n := 0$ will certainly occur. In $Y$ the execution of that statement is not ensured.

The semantic definition of the dovetail operator in [1] is given by the definition of its weakest liberal precondition predicate transformer (wlp) and its termination predicate hlt. We give an equivalent definition using the weakest liberal set transformer $\mathcal{L}$ and its termination set $\mathrm{pre}$:

Definition 2. The Dovetail Operator

$$\begin{aligned}
\mathcal{L}(F \nabla G)(r) &= \mathcal{L}(F)(r) \cap \mathcal{L}(G)(r) \\
\mathrm{pre}(F \nabla G) &= (F(u) \cup G(u)) \cap (\overline{F(\emptyset)} \cup G(u)) \cap (\overline{G(\emptyset)} \cup F(u)) \\
\mathrm{pre}(F \nabla G) &= (F(u) \cap G(u)) \cup (\overline{F(\emptyset)} \cap F(u)) \cup (\overline{G(\emptyset)} \cap G(u))
\end{aligned}$$

The two definitions of the termination set $\mathrm{pre}(F \nabla G)$ are equivalent; this can be proved by distribution of union over intersection. On the other hand, we recall that $\mathrm{grd}(F) = \overline{F(\emptyset)}$.

The set transformer $(F \nabla G)(r)$, for any $r$ in $\mathbb{P}(u)$, associated with the dovetail operator is obtained from the pairing condition (1):

$$(F \nabla G)(r) = \mathcal{L}(F \nabla G)(r) \cap \mathrm{pre}(F \nabla G) \quad (3)$$

We note that as far as the liberal set transformer is concerned, the dovetail operator is equal to the choice operator. It differs by having a more liberal pairing condition: to ensure that $F \nabla G$ halts, it suffices to forbid $F$ and $G$ from both looping and to forbid either from looping in a state where the other fails.

As in [1] we can prove $\mathrm{grd}(F \nabla G) = \mathrm{grd}(F) \vee \mathrm{grd}(G)$, but we give a shorter proof than [1] in terms of sets. We prove:

$$\overline{(F \nabla G)(\emptyset)} = \overline{F(\emptyset)} \cup \overline{G(\emptyset)} \quad (4)$$
Proof

$$\begin{array}{ll}
& \overline{F(\emptyset)} \cup \overline{G(\emptyset)} \\
= & \{\text{ De Morgan }\} \\
& \overline{F(\emptyset) \cap G(\emptyset)} \\
= & \{\text{ Pairing condition }\} \\
& \overline{\mathcal{L}(F)(\emptyset) \cap \mathcal{L}(G)(\emptyset) \cap F(u) \cap G(u)} \\
= & \{\ F(\emptyset) \cap \overline{F(\emptyset)} = \emptyset\ \} \\
& \overline{\mathcal{L}(F)(\emptyset) \cap \mathcal{L}(G)(\emptyset) \cap ((F(u) \cap G(u)) \cup (F(\emptyset) \cap \overline{F(\emptyset)}))} \\
= & \{\ \mathcal{L}(F)(\emptyset) \cap F(\emptyset) = \mathcal{L}(F)(\emptyset) \cap F(u), \text{ see note below }\} \\
& \overline{\mathcal{L}(F)(\emptyset) \cap \mathcal{L}(G)(\emptyset) \cap ((F(u) \cap G(u)) \cup (F(u) \cap \overline{F(\emptyset)}))} \\
= & \{\text{ Similar to the two last steps }\} \\
& \overline{\mathcal{L}(F)(\emptyset) \cap \mathcal{L}(G)(\emptyset) \cap ((F(u) \cap G(u)) \cup (F(u) \cap \overline{F(\emptyset)}) \cup (G(u) \cap \overline{G(\emptyset)}))} \\
= & \{\text{ Definition of } (F \nabla G)(\emptyset) \text{ by (3) and } \mathrm{pre}(F \nabla G) \text{ (Definition 2) }\} \\
& \overline{(F \nabla G)(\emptyset)} \qquad \square
\end{array}$$

Note. In [1] this step requires the proof of $\mathrm{wlp}.F.\mathit{false} \Rightarrow (\mathrm{grd}.F = \neg\mathrm{hlt}.F)$. We denote this implication by the set expression $\mathcal{L}(F)(\emptyset) \cap \overline{F(\emptyset)} = \mathcal{L}(F)(\emptyset) \cap \overline{F(u)}$; complementing both sides within $\mathcal{L}(F)(\emptyset)$ gives the form used in the step above. The proof of this expression is easily given by the pairing condition. We finally note that the sets $\overline{F(\emptyset)}$ and $\overline{F(u)}$ are not equal, as one might think from the given equality; only their intersections with $\mathcal{L}(F)(\emptyset)$ are equal.
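As an added example (not code from the report), the following finite-state model makes sections 2.1 and 2.2 executable: events are tables from states to outcome sets, a constructed marker `LOOP` records possible non-termination, and an empty outcome set means the event fails in that state. With that model the liberal set transformer of Definition 1, the pairing condition (1), the two forms of $\mathrm{pre}(F \nabla G)$ of Definition 2, and the guard equality (4) can all be checked exhaustively over every postcondition $r \subseteq u$. The state space, the events `F` and `G`, and the operational reading of the dovetail are assumptions of this example.

```python
# Added example (not from the report): a finite-state model of the set
# transformers of section 2.1 and of the dovetail operator of section 2.2.
# An event is a table mapping each state to its set of outcomes; the marker
# LOOP (a constructed value, not a state) records that the event may fail to
# terminate there, and an empty outcome set means the event is infeasible in
# that state ([F] false holds, so grd(F) is false).
from itertools import combinations

LOOP = "loop"
U = frozenset(range(4))             # constructed state space u = {0, 1, 2, 3}

# Constructed events covering the four situations: a proper outcome, a loop
# only, no outcome at all (failure), and a loop mixed with a proper outcome.
F = {0: {1}, 1: {LOOP}, 2: set(), 3: {LOOP, 2}}
G = {0: {LOOP}, 1: {2}, 2: {LOOP}, 3: set()}

def wp(ev, r):
    """str(F)(r): states from which F must terminate in r."""
    return frozenset(x for x in U if LOOP not in ev[x] and ev[x] <= r)

def wlp(ev, r):
    """L(F)(r) of Definition 1: states from which F terminates in r or loops."""
    return frozenset(x for x in U if (ev[x] - {LOOP}) <= r)

def pre(ev):
    """Termination set pre(F) = F(u)."""
    return wp(ev, U)

def grd(ev):
    """Guard grd(F), the complement of F(empty)."""
    return U - wp(ev, frozenset())

def subsets(s):
    items = list(s)
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]

def pairing_holds(ev):
    """Pairing condition (1): F(r) = L(F)(r) ∩ pre(F) for every postcondition r."""
    return all(wp(ev, r) == (wlp(ev, r) & pre(ev)) for r in subsets(U))

def note_holds(ev):
    """Set form of wlp.F.false => (grd.F = not hlt.F) used in the proof of (4):
    L(F)(empty) ∩ grd(F) = L(F)(empty) ∩ complement(pre(F))."""
    empty = frozenset()
    return (wlp(ev, empty) & grd(ev)) == (wlp(ev, empty) & (U - pre(ev)))

def dovetail(ev1, ev2):
    """Operational F dovetail G: every proper outcome of either operand is an
    outcome; the construct may loop only when both operands may loop, or when
    one may loop in a state where the other fails."""
    result = {}
    for x in U:
        loops1, loops2 = LOOP in ev1[x], LOOP in ev2[x]
        fails1, fails2 = not ev1[x], not ev2[x]
        outcomes = (ev1[x] | ev2[x]) - {LOOP}
        if (loops1 and loops2) or (loops1 and fails2) or (loops2 and fails1):
            outcomes = outcomes | {LOOP}
        result[x] = outcomes
    return result

def dovetail_pre(ev1, ev2):
    """The two forms of pre(F dovetail G) given in Definition 2."""
    fu, gu = pre(ev1), pre(ev2)
    conjunctive = (fu | gu) & (grd(ev1) | gu) & (grd(ev2) | fu)
    disjunctive = (fu & gu) | (grd(ev1) & fu) | (grd(ev2) & gu)
    return conjunctive, disjunctive

def definition2_agrees(ev1, ev2):
    """Definition 2 and equation (4) against the operational model: the liberal
    transformer is the intersection, both pre forms equal the model's
    termination set, (3) gives the set transformer, and the guard is the union."""
    dv = dovetail(ev1, ev2)
    conjunctive, disjunctive = dovetail_pre(ev1, ev2)
    pre_ok = conjunctive == disjunctive == pre(dv)
    wlp_ok = all(wlp(dv, r) == (wlp(ev1, r) & wlp(ev2, r)) for r in subsets(U))
    str_ok = all(wp(dv, r) == (wlp(ev1, r) & wlp(ev2, r) & conjunctive) for r in subsets(U))
    grd_ok = grd(dv) == (grd(ev1) | grd(ev2))
    return pre_ok and wlp_ok and str_ok and grd_ok
```

State 2 is the instructive case: `F` fails there and `G` loops, so the dovetail has no proper outcome and may loop, yet its guard is true, exactly as (4) predicts from $\mathrm{grd}(G)$.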

The dovetail operator is in general not monotonic for the approximation order on commands as defined in [1]. Therefore the existence of least fixed points of recursive equations cannot be proved in general. However, the existence of least fixed points in a restricted class of recursive definitions containing the dovetail operator is proved in [1]. In this report we only use the dovetail operator to model the fair iteration of events. We do not propose the use of this operator to model or refine B event systems. The set transformer modeling the fair iteration of events with the dovetail operator is monotonic in the set inclusion order.

3 Basic Liveness Properties 

Let $S$ be a B event system with state variable $x$ and invariant $I$, made up of a family of events indexed by a certain index set $L$:

$$S = \mathop{[]}_{i \in L} F_i$$

where $\mathop{[]}_{i \in L} F_i$ denotes the choice of the events $F_i$ over the set $L$. Since we cannot ensure the execution of continuously enabled events with an infinite set of events in a system, as required by the weak fairness assumption, the set of labels $L$ must be finite. Let $P$ and $Q$ be two predicates on the state of $S$. A basic liveness property, specified by the ensures relation ($\rhd_w$) as:

$$G \cdot P \rhd_w Q$$

(pronounced "by event $G$, $P$ ensures $Q$"), where $G = \mathop{[]}_{i \in K} F_i$ and $K$ is a non-empty subset of $L$, indicates that by the execution of event $G$ in a state where the state variable $x$ satisfies $P$, the system goes to another state where the state variable satisfies $Q$, under a weak fairness assumption.

The sufficient conditions to guarantee that system $S$ satisfies the property $G \cdot P \rhd_w Q$ are:
$$\begin{array}{l|l|l}
 & \text{ANTECEDENT} & \text{CONSEQUENT} \\ \hline
\text{WF0} & I \wedge P \wedge \neg Q \Rightarrow [S]\,(P \vee Q) & G \cdot P \rhd_w Q \\
\text{WF1} & I \wedge P \wedge \neg Q \Rightarrow \mathrm{grd}(G) \wedge [G]\,Q &
\end{array}$$

If we consider the choice of the events which do not establish the postcondition $Q$, we can restate the proof obligations as follows:

$$\begin{array}{l|l|l}
 & \text{ANTECEDENT} & \text{CONSEQUENT} \\ \hline
\text{WF0'} & I \wedge P \wedge \neg Q \Rightarrow [F]\,(P \vee Q) & G \cdot P \rhd_w Q \\
\text{WF1'} & I \wedge P \wedge \neg Q \Rightarrow \mathrm{grd}(G) \wedge [G]\,Q &
\end{array}$$

where $F = \mathop{[]}_{i \in L - K} F_i$. As we have $S = F \mathbin{[]} G$, we can prove the equivalence between the antecedents of WF0 and WF1 and those of WF0' and WF1'.

In the following section we prove that WF0 and WF1 are indeed sufficient conditions to guarantee that by the execution of event $G$ in a state satisfying $P$, the system goes to another state satisfying $Q$, under a weak fairness assumption. However, as we prove our rules in a set-theoretic framework, we give an equivalent definition of the proof obligations WF0 and WF1 in terms of set transformers. In this way, each event $F_i$ in the B system $S$ is considered as a set transformer of type $\mathbb{P}(u) \to \mathbb{P}(u)$, where $u = \{z \mid I\}$ is the set of states satisfying the invariant $I$. According to [?], the set transformer $\mathrm{str}(F_i)$ is defined as follows:

$$\mathrm{str}(F_i) = \lambda r \cdot (r \in \mathbb{P}(u) \mid \{z \mid z \in u \wedge [F_i]\,(z \in r)\})$$

Following the notation introduced in [2], we use the names of events to denote set transformers. In this way $F_i(r)$ denotes the largest subset of $u$ where the execution of event $F_i$ must start in order to terminate in a state belonging to $r$. Now, considering the sets:

$$p = \{z \mid z \in u \wedge P\} \qquad q = \{z \mid z \in u \wedge Q\}$$

the inclusions

$$\begin{aligned}
p \cap \overline{q} &\subseteq S(p \cup q) & (5) \\
p \cap \overline{q} &\subseteq \mathrm{grd}(G) \cap G(q) & (6)
\end{aligned}$$

are equivalent to WF0 and WF1 respectively. To prove the equivalences we assume that $I \Rightarrow [S]\,I$ holds. Then we have:
Proof

$$\begin{array}{ll}
& \text{WF0} \\
\Rightarrow & \{\text{ Def. of WF0 and assumption }\} \\
& \forall x \cdot (I \wedge P \wedge \neg Q \Rightarrow [S]\,(P \vee Q)) \wedge \forall x \cdot (I \Rightarrow [S]\,I) \\
\Rightarrow & \{\ S \text{ is conjunctive }\} \\
& \forall x \cdot (I \wedge P \wedge \neg Q \Rightarrow [S]\,((P \vee Q) \wedge I)) \\
= & \{\text{ def. } p, q \text{ and set transformer }\} \\
& \forall x \cdot (x \in p \cap \overline{q} \Rightarrow x \in S(p \cup q)) \\
= & \\
& p \cap \overline{q} \subseteq S(p \cup q) \\
= & \\
& \forall x \cdot (I \wedge P \wedge \neg Q \Rightarrow [S]\,((P \vee Q) \wedge I)) \\
\Rightarrow & \{\text{ weakening }\} \\
& \text{WF0}
\end{array}$$

$$\begin{array}{ll}
& \text{WF1} \\
\Rightarrow & \{\text{ Def. of WF1 and assumption }\} \\
& \forall x \cdot (I \wedge P \wedge \neg Q \Rightarrow \mathrm{grd}(G) \wedge [G]\,Q) \wedge \forall x \cdot (I \Rightarrow [S]\,I) \\
\Rightarrow & \{\ G \text{ is conjunctive }\} \\
& \forall x \cdot (I \wedge P \wedge \neg Q \Rightarrow \mathrm{grd}(G) \wedge [G]\,(Q \wedge I)) \\
= & \{\text{ def. } p, q\ \} \\
& \forall x \cdot (x \in p \cap \overline{q} \Rightarrow \neg([G]\,\mathit{false}) \wedge [G]\,(x \in q)) \\
= & \{\text{ def. set transformer }\} \\
& \forall x \cdot (x \in p \cap \overline{q} \Rightarrow x \in \overline{G(\emptyset)} \wedge x \in G(q)) \\
= & \\
& p \cap \overline{q} \subseteq \mathrm{grd}(G) \cap G(q) \\
\Rightarrow & \{\text{ weakening }\} \\
& \text{WF1} \qquad \square
\end{array}$$

3.1 Termination of Fair Iteration 

The general strategy in the proof of a basic liveness property $P \rhd_w Q$ is to divide the events of $S$ into two groups: one for the events that establish $Q$ and another one for the events that maintain $P$ or establish $Q$. The first group is characterized by the event $G$, and the second one by an event $F$, where $F = \mathop{[]}_{i \in L - K} F_i$. Events $F$ and $G$ are modeled by conjunctive set transformers of type $\mathbb{P}(u) \to \mathbb{P}(u)$, and the B event system $S$ can be seen as:

$$S = F \mathbin{[]} G \quad (7)$$

As we know, most of the time an abstract system like $S$ does not terminate. For this reason we cannot speak about the establishment of a certain postcondition $Q$ when $S$ terminates. In [?] this situation is managed by translating the problem of reachability of a certain postcondition $Q$ in a system $S$ into the problem of termination of the iteration $(\neg Q \Longrightarrow S)^{\wedge}$. We follow a similar approach, but we consider a fair iteration with the help of the dovetail operator.
Let $q$ be a subset of $u$ and $X(q)$ be the following iteration:

$$X(q) = \overline{q} \Longrightarrow ((F ; X(q)) \nabla G) \quad (8)$$

Since all events in $S$ always terminate, we conclude that $F$ and $G$ always terminate. Therefore we expect that $X(q)$ eventually terminates when it is executed in any state of $\overline{G(\emptyset)} \cup q$. This expectation is ensured by the semantics of the dovetail operator, which guarantees that $G$ will eventually be executed. On the other hand, if $X(q)$ starts its execution in any state of $q$, the guard of $X(q)$ is not enabled and the state of the system is not changed. This is formally stated in the following lemma:

Lemma 1. (Termination)

Let $X(q)$ be a fair iteration, $X(q) = \overline{q} \Longrightarrow ((F ; X(q)) \nabla G)$, where $F$ and $G$ are conjunctive set transformers of type $\mathbb{P}(u) \to \mathbb{P}(u)$, $\mathrm{pre}(F) = u$ and $\mathrm{pre}(G) = u$. Then the inclusion $\mathrm{grd}(G) \cup q \subseteq \mathrm{pre}(X(q))$ holds.

Proof

$$\begin{array}{ll}
& \mathrm{grd}(G) \cup q \\
= & \\
& \overline{G(\emptyset)} \cup q \\
= & \{\ G(u) = u\ \} \\
& (\overline{G(\emptyset)} \cap G(u)) \cup q \\
\subseteq & \{\ Z = (F ; X(q))\ \} \\
& Z(u) \cup (\overline{G(\emptyset)} \cap G(u)) \cup q \\
= & \{\text{ absorption }\} \\
& Z(u) \cup (Z(u) \cap \overline{Z(\emptyset)}) \cup (\overline{G(\emptyset)} \cap G(u)) \cup q \\
= & \{\text{ def. dovetail (Definition 2), } Z \text{ and } G(u) = u\ \} \\
& \mathrm{pre}((F ; X(q)) \nabla G) \cup q \\
= & \{\text{ def. termination set }\} \\
& ((F ; X(q)) \nabla G)(u) \cup q \\
= & \{\text{ def. set transformer }\} \\
& (\overline{q} \Longrightarrow ((F ; X(q)) \nabla G))(u) \\
= & \{\text{ def. termination set and (8) }\} \\
& \mathrm{pre}(X(q)) \qquad \square
\end{array}$$



3.2 Total Correctness of Fair Iteration 



From Lemma 1 we assert that the fair iteration $X(q)$ always terminates when it is executed in a state where $\mathrm{grd}(G)$ holds. Informally, this fact results from the operational meaning of the dovetail operator. As indicated in section 2.2, the two operands of the dovetail operator, $F ; X(q)$ and $G$, are executed fairly in parallel on separate copies of the state, accepting as an outcome any proper, nonlooping outcome of either operand. If $F$ does not preserve $\mathrm{grd}(G)$, the sequence $F ; X(q)$ may loop forever depending on the guard of $F$; however, in this case the semantics of the dovetail operator guarantees that $X(q)$ terminates, because $G$ does so when it is executed in a state of $\mathrm{grd}(G)$. This behavior is not exactly the same as in the B event system $S$ because of the guards: event $G$ cannot be executed in a state where $\neg\mathrm{grd}(G)$ holds.

In order to improve our model of fair iteration among events, we add the constraint that $F$ must preserve the guard of $G$. In this way, the behaviors of $S$ under the weak fairness assumption and of $X(q)$ are similar. Furthermore, if $G$ is able to establish $q$ when it starts its execution in a state in $p \cap \overline{q}$, for a certain subset $p$ of $u$, if $p \cap \overline{q}$ is a subset of $\mathrm{grd}(G)$, and if $F$ preserves $p$ or establishes $q$ when it is executed in any state of $p \cap \overline{q}$, then we can assert that $X(q)$ terminates in a state of $q$ when it is executed in any state of $p \cup q$. This reasoning is formalized in the following lemma:

Lemma 2. (Total Correctness)

Under the assumptions of Lemma 1 and for any $p$ and $q$ in $\mathbb{P}(u)$ such that $p \cap \overline{q} \subseteq F(p \cup q)$, $p \cap \overline{q} \subseteq \mathrm{grd}(G)$ and $p \cap \overline{q} \subseteq G(q)$, the inclusion $p \cup q \subseteq X(q)(q)$ holds.

Proof

According to the pairing condition (1), the goal of Lemma 2 becomes:

$$\begin{aligned}
p \cup q &\subseteq \mathcal{L}(X(q))(q) & (9) \\
p \cup q &\subseteq \mathrm{pre}(X(q)) & (10)
\end{aligned}$$

In order to prove subgoal (9), we note the following equality for any $r$ in $\mathbb{P}(u)$:

$$\mathcal{L}(X(q))(r) = \mathcal{F}(q)(r)(\mathcal{L}(X(q))(r)) \quad (11)$$

where $\mathcal{F}(q)(r)$, for any subsets $q$ and $r$ of $u$, is the set transformer:

$$\mathcal{F}(q)(r) = \overline{q} \Longrightarrow (G(r) \mid F) \quad (12)$$

Equality (11) is proved as follows:

$$\begin{array}{ll}
& \mathcal{L}(X(q))(r) \\
= & \{\ (8)\ \} \\
& \mathcal{L}(\overline{q} \Longrightarrow ((F ; X(q)) \nabla G))(r) \\
= & \{\text{ def. liberal of guard }\} \\
& q \cup \mathcal{L}((F ; X(q)) \nabla G)(r) \\
= & \{\text{ def. of dovetail (Definition 2) }\} \\
& q \cup (\mathcal{L}(F ; X(q))(r) \cap \mathcal{L}(G)(r)) \\
= & \{\ G(u) = u \text{ and property (2) }\} \\
& q \cup (\mathcal{L}(F ; X(q))(r) \cap G(r)) \\
= & \{\text{ def. liberal of sequencing }\} \\
& q \cup (\mathcal{L}(F)(\mathcal{L}(X(q))(r)) \cap G(r)) \\
= & \{\ F(u) = u \text{ and property (2) }\} \\
& q \cup (F(\mathcal{L}(X(q))(r)) \cap G(r)) \\
= & \{\text{ def. preconditioned set transformer }\} \\
& q \cup (G(r) \mid F)(\mathcal{L}(X(q))(r)) \\
= & \{\text{ def. guarded set transformer }\} \\
& (\overline{q} \Longrightarrow (G(r) \mid F))(\mathcal{L}(X(q))(r)) \\
= & \{\text{ def. of } \mathcal{F}(q)(r) \text{ (12) }\} \\
& \mathcal{F}(q)(r)(\mathcal{L}(X(q))(r))
\end{array}$$
We note that $\mathcal{F}(q)(r)$ is a monotonic set transformer, that is, for any subsets $s$ and $t$ of $u$ such that $s \subseteq t$ we have:

$$\begin{array}{ll}
& s \subseteq t \\
\Rightarrow & \{\text{ monotonic } F\ \} \\
& F(s) \subseteq F(t) \\
\Rightarrow & \\
& G(r) \cap F(s) \subseteq G(r) \cap F(t) \\
\Rightarrow & \\
& q \cup (G(r) \cap F(s)) \subseteq q \cup (G(r) \cap F(t)) \\
= & \{\text{ def. set transformer }\} \\
& (\overline{q} \Longrightarrow (G(r) \mid F))(s) \subseteq (\overline{q} \Longrightarrow (G(r) \mid F))(t) \\
= & \{\ (12)\ \} \\
& \mathcal{F}(q)(r)(s) \subseteq \mathcal{F}(q)(r)(t)
\end{array}$$

Therefore, as indicated in section 2.1, a recursive definition of a liberal set transformer $\mathcal{L}(X(q))(r) = \mathcal{F}(q)(r)(\mathcal{L}(X(q))(r))$, with monotonic $\mathcal{F}(q)(r)$, allows us to state:

$$\mathcal{L}(X(q))(r) = \mathrm{FIX}(\mathcal{F}(q)(r)) \quad (13)$$

Furthermore, we note

$$\mathrm{FIX}(\mathcal{F}(q)(r)) = \bigcup \Phi_r \quad (14)$$

where $\Phi_r = \{x \mid x \in \mathbb{P}(u) \wedge x \subseteq \mathcal{F}(q)(r)(x)\}$. Finally, the proof of subgoal (9) is as follows:

$$\begin{array}{rll}
1. & p \cap \overline{q} \subseteq (G(q) \cap F(p \cup q)) \cup q & \text{From Hyp.} \\
2. & p \cap \overline{q} \subseteq (\overline{q} \Longrightarrow (G(q) \mid F))(p \cup q) & \text{1 and set trans.} \\
3. & p \cap q \subseteq (G(q) \cap F(p \cup q)) \cup q & \text{Trivial} \\
4. & p \subseteq (\overline{q} \Longrightarrow (G(q) \mid F))(p \cup q) & \text{3 and 2} \\
5. & q \subseteq q \cup (G(q) \cap F(p \cup q)) & \text{trivial} \\
6. & q \subseteq (\overline{q} \Longrightarrow (G(q) \mid F))(p \cup q) & \text{5 and set trans.} \\
7. & p \cup q \subseteq (\overline{q} \Longrightarrow (G(q) \mid F))(p \cup q) & \text{6 and 4} \\
8. & p \cup q \subseteq \mathcal{F}(q)(q)(p \cup q) & \text{7 and (12)} \\
9. & p \cup q \in \Phi_q & \text{8 and def. } \Phi_q \\
10. & p \cup q \subseteq \bigcup \Phi_q & \text{9} \\
11. & p \cup q \subseteq \mathrm{FIX}(\mathcal{F}(q)(q)) & \text{10 and (14)} \\
12. & p \cup q \subseteq \mathcal{L}(X(q))(q) & \text{11 and (13)}
\end{array}$$

The proof of subgoal (10), which terminates the proof of Lemma 2, is:

$$\begin{array}{rll}
1. & p \cap \overline{q} \subseteq \overline{G(\emptyset)} & \text{Hyp.} \\
2. & p \cap q \subseteq q & \text{trivial} \\
3. & p \subseteq \overline{G(\emptyset)} \cup q & \text{2 and 1} \\
4. & p \subseteq \mathrm{pre}(X(q)) & \text{3 and Lemma 1} \\
5. & q \subseteq \overline{G(\emptyset)} \cup q & \text{trivial} \\
6. & q \subseteq \mathrm{pre}(X(q)) & \text{5 and Lemma 1} \\
7. & p \cup q \subseteq \mathrm{pre}(X(q)) & \text{6 and 4}
\end{array}$$

$\square$
As we can see, the hypotheses of Lemma 2, $p \cap \overline{q} \subseteq (F \mathbin{[]} G)(p \cup q)$, $p \cap \overline{q} \subseteq \overline{G(\emptyset)}$ and $p \cap \overline{q} \subseteq G(q)$, are the corresponding proof obligations (5) and (6) for a basic liveness property $G \cdot P \rhd_w Q$ of system $S$. These inclusions, the implicit assumption that all events in $S$ always terminate, and the fairness assumption are the guarantee that the iteration of events in $S$, starting at any state in $P \wedge \neg Q$, will certainly terminate in a state in $Q$, which is the intended meaning of the basic liveness property.

3.3 Guard of the Fair Loop 

As we know, for any monotonic set transformer $S$, the complement of the guard of $S$, $S(\emptyset)$, denotes the set of states where the execution of $S$ is impossible. On the other hand, $S$ becomes a miraculous statement when its execution "starts" in any state of $S(\emptyset)$, and it is able to establish any postcondition $q$, because $S$ is monotonic and then $S(\emptyset) \subseteq S(q)$ holds for any subset $q$ of $\mathrm{dom}(S)$.

Before we calculate the guard of the fair loop, we prove the following lemma, indicating that $X(q)$ is a monotonic set transformer:

Lemma 3. (Monotony of the Fair Loop)

For any subsets $s$ and $t$ of $u$ such that $s \subseteq t$, we have $X(q)(s) \subseteq X(q)(t)$.

Proof

$$\begin{array}{ll}
& s \subseteq t \\
\Rightarrow & \{\text{ Monotony of } G\ \} \\
& G(s) \subseteq G(t) \\
\Rightarrow & \{\text{ Fact of sets, for any } y \in \mathbb{P}(u)\ \} \\
& q \cup (G(s) \cap F(y)) \subseteq q \cup (G(t) \cap F(y)) \\
= & \{\text{ def. } \mathcal{F}(q)(s) \text{ and } \mathcal{F}(q)(t)\ \} \\
& \mathcal{F}(q)(s)(y) \subseteq \mathcal{F}(q)(t)(y) \\
\Rightarrow & \{\text{ Fact of sets, for any } y \in \mathbb{P}(u)\ \} \\
& \{y \mid y \subseteq u \wedge y \subseteq \mathcal{F}(q)(s)(y)\} \subseteq \{y \mid y \subseteq u \wedge y \subseteq \mathcal{F}(q)(t)(y)\} \\
\Rightarrow & \{\text{ from (14) }\} \\
& \mathrm{FIX}(\mathcal{F}(q)(s)) \subseteq \mathrm{FIX}(\mathcal{F}(q)(t)) \\
= & \{\text{ from (13) }\} \\
& \mathcal{L}(X(q))(s) \subseteq \mathcal{L}(X(q))(t) \\
\Rightarrow & \\
& \mathcal{L}(X(q))(s) \cap \mathrm{pre}(X(q)) \subseteq \mathcal{L}(X(q))(t) \cap \mathrm{pre}(X(q)) \\
= & \{\text{ Pairing condition (1) }\} \\
& X(q)(s) \subseteq X(q)(t) \qquad \square
\end{array}$$

Now we state the following lemma:

Lemma 4. (Guard of the Fair Loop)

The guard of $X(q)$ is the complement of the least fixpoint of $\mathcal{F}(q)(\emptyset)$, that is, $X(q)(\emptyset) = \mathrm{fix}(\mathcal{F}(q)(\emptyset))$.

In order to prove Lemma 4 we prove

$$X(q)(\emptyset) = \mathrm{fix}(\mathcal{F}(q)(\emptyset))$$
as follows:

Proof

$$\begin{array}{ll}
& X(q)(\emptyset) \\
= & \{\text{ Def. } X(q)\ \} \\
& q \cup ((F ; X(q)) \nabla G)(\emptyset) \\
= & \{\text{ From (4) }\} \\
& q \cup ((F ; X(q))(\emptyset) \cap G(\emptyset)) \\
= & \{\text{ Set transformers }\} \\
& (\overline{q} \Longrightarrow (G(\emptyset) \mid F))(X(q)(\emptyset)) \\
= & \{\text{ Def. } \mathcal{F}(q)(\emptyset) \text{ (12) }\} \\
& \mathcal{F}(q)(\emptyset)(X(q)(\emptyset)) \\
= & \{\ \mathcal{F}(q)(\emptyset) \text{ is a monotonic function }\} \\
& \mathrm{fix}(\mathcal{F}(q)(\emptyset)) \qquad \square
\end{array}$$

As the complement of the guard of $X(q)$ is the least fixpoint of $\mathcal{F}(q)(\emptyset)$, we know that $\mathrm{fix}(\mathcal{F}(q)(\emptyset))$ contains all finite chains terminating outside the guard of $\mathcal{F}(q)(\emptyset)$, that is, in the set $q \cup (G(\emptyset) \cap F(\emptyset))$. Formally, this fact is stated as follows:

$$\forall i \cdot (i \in \mathbb{N} \Rightarrow \mathcal{F}(q)(\emptyset)^{i}(\mathcal{F}(q)(\emptyset)(\emptyset)) \subseteq \mathrm{fix}(\mathcal{F}(q)(\emptyset))) \quad (15)$$

Proof

Let $r$ be any set in $\{z \mid z \subseteq u \wedge \mathcal{F}(q)(\emptyset)(z) \subseteq z\}$. We prove by induction:

$$\forall i \cdot (i \in \mathbb{N} \Rightarrow \mathcal{F}(q)(\emptyset)^{i+1}(\emptyset) \subseteq r) \quad (16)$$

Base Case:

$$\begin{array}{ll}
& \mathcal{F}(q)(\emptyset)^{0+1}(\emptyset) \\
= & \\
& \mathcal{F}(q)(\emptyset)(\emptyset) \\
\subseteq & \{\text{ Monotony of } \mathcal{F}(q)(\emptyset)\ \} \\
& \mathcal{F}(q)(\emptyset)(r) \\
\subseteq & \{\text{ Hyp. } \mathcal{F}(q)(\emptyset)(r) \subseteq r\ \} \\
& r
\end{array}$$

Inductive Step:

$$\begin{array}{rll}
1. & \mathcal{F}(q)(\emptyset)^{i+1}(\emptyset) \subseteq r & \text{Ind. Hyp.} \\
2. & \mathcal{F}(q)(\emptyset)(\mathcal{F}(q)(\emptyset)^{i+1}(\emptyset)) \subseteq \mathcal{F}(q)(\emptyset)(r) & \text{1, Mon. of } \mathcal{F}(q)(\emptyset) \\
3. & \mathcal{F}(q)(\emptyset)^{i+2}(\emptyset) \subseteq r & \text{2 and Hyp.}
\end{array}$$

Now, (15) follows from (16), considering that $\mathrm{fix}(\mathcal{F}(q)(\emptyset))$ is the generalized intersection of all subsets in $\{z \mid z \subseteq u \wedge \mathcal{F}(q)(\emptyset)(z) \subseteq z\}$. $\square$

From the monotony of $X(q)$ (Lemma 3), the guard of $X(q)$ (Lemma 4) and (15), it follows, for any $r \in \mathbb{P}(u)$:

$$\forall i \cdot (i \in \mathbb{N} \Rightarrow \mathcal{F}(q)(\emptyset)^{i+1}(\emptyset) \subseteq X(q)(r))$$

This last inclusion indicates that the set of states that guarantees termination of $X(q)$ in any state of $r$ contains all states where any iteration of $(\overline{q} \Longrightarrow (G(\emptyset) \mid F))$ terminates in $q \cup (G(\emptyset) \cap F(\emptyset))$. Moreover, if $X(q)$ starts execution in any state of $\mathcal{F}(q)(\emptyset)^{i+1}(\emptyset)$ for any $i \in \mathbb{N}$, $X(q)$ becomes a miraculous statement, able to establish any postcondition.
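As an added example covering section 3 as a whole (not code from the report), the following computes the fair iteration $X(q)$ of (8) on a constructed finite system by the fixpoints of sections 3.2 and 3.3: $\mathcal{L}(X(q))(r)$ as the greatest fixpoint (13) of $\mathcal{F}(q)(r)$ from (12), the guard of $X(q)$ as the complement of the least fixpoint of $\mathcal{F}(q)(\emptyset)$ (Lemma 4), and the proof obligations (5) and (6) in set form. The state space, the events `F` and `G`, and the sets `P` and `Q` are assumptions of this example. The report proves only the lower bound $\mathrm{grd}(G) \cup q \subseteq \mathrm{pre}(X(q))$ of Lemma 1; to obtain $X(q)(r)$ itself through the pairing condition, this example computes $\mathrm{pre}(X(q))$ as the least solution of the recursion obtained by unfolding (8) with the definitions of section 2, which is a choice of this example and not a result stated on the page.

```python
# Added example (not from the report): the fair iteration X(q) of section 3
# computed by fixpoints on a constructed finite system. State x ranges over
# {0,...,6}; F collects the events that keep P or establish Q, G is the helpful
# event; P is x in {1,2,3,4} and Q is x = 6. All events terminate, so the set
# transformer and the liberal set transformer coincide (property (2)).
U = frozenset(range(7))
EMPTY = frozenset()

# Constructed events as tables state -> set of next states; an empty set means
# the event is not enabled there (it is miraculous, its guard is false).
F = {0: {0}, 1: {2}, 2: {3}, 3: {4}, 4: {3}, 5: {5}, 6: {6}}
G = {0: set(), 1: {6}, 2: {6}, 3: {6}, 4: {6}, 5: {5}, 6: set()}
P = frozenset({1, 2, 3, 4})         # the set p
Q = frozenset({6})                  # the set q

def wp(ev, r):
    """F(r) for an always-terminating event: every outcome lies in r."""
    return frozenset(x for x in U if ev[x] <= r)

def grd(ev):
    """grd(F), the complement of F(empty)."""
    return U - wp(ev, EMPTY)

def lfp(f):
    """Least fixpoint fix(f) of a monotonic f on the finite lattice P(u)."""
    x = EMPTY
    while f(x) != x:
        x = f(x)
    return x

def gfp(f):
    """Greatest fixpoint FIX(f), reached by descending from u."""
    x = U
    while f(x) != x:
        x = f(x)
    return x

def wf_obligations_hold(p, q):
    """Proof obligations (5) and (6) in set form for S = F [] G."""
    s = lambda r: wp(F, r) & wp(G, r)          # the choice F [] G
    hyp = p - q                                # p ∩ complement(q)
    return hyp <= s(p | q) and hyp <= (grd(G) & wp(G, q))

def script_F(q, r):
    """The set transformer F(q)(r) = not-q ==> (G(r) | F) of (12), as a function."""
    return lambda y: q | (wp(G, r) & wp(F, y))

def liberal_X(q, r):
    """L(X(q))(r) = FIX(F(q)(r)), equation (13)."""
    return gfp(script_F(q, r))

def pre_X(q):
    """pre(X(q)). The report proves only grd(G) ∪ q ⊆ pre(X(q)) (Lemma 1).
    Unfolding (8) with the definitions of section 2 (guarded command, sequencing,
    pre of the dovetail with G(u) = u) gives the recursion
        pre(X(q)) = q ∪ grd(G) ∪ F(pre(X(q)))
    and, following section 2.1, this example takes its least solution."""
    return lfp(lambda y: q | grd(G) | wp(F, y))

def X(q, r):
    """X(q)(r) by the pairing condition (1)."""
    return liberal_X(q, r) & pre_X(q)

def guard_of_X(q):
    """Lemma 4: X(q)(empty) = fix(F(q)(empty)); the guard is its complement."""
    return U - lfp(script_F(q, EMPTY))

def lemma2_conclusion(p, q):
    """Total correctness (Lemma 2): p ∪ q ⊆ X(q)(q)."""
    return (p | q) <= X(q, q)
```

State 0 shows why the liberal and the total transformer differ: `liberal_X(Q, Q)` contains 0 (from there `X(q)` either reaches `Q` or loops, since `G` is disabled and `F` stays at 0), while `X(Q, Q)` excludes it because 0 is outside the termination set; Lemma 2 only speaks about `P ∪ Q`, and its hypotheses hold for `P` and `Q` as constructed.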
4 General Liveness Properties

In a B event system $S$, with state variable $x$ and invariant $I$, general liveness properties are specified by formulae $P \leadsto Q$, where $P$ and $Q$ are predicates on the system state. This property specifies that the system eventually reaches a state satisfying $Q$ whenever it reaches any state in $P$. There are three basic differences between a $\leadsto$ relation and a $\rhd_w$ relation. The first difference is the number of steps involved in the transition from $P$ to $Q$. With $\rhd_w$, the helpful transition is done by the execution of an atomic event, while with $\leadsto$ the number of atomic transitions is not specified. The second difference is that we can assert with $G \cdot P \rhd_w Q$ that the system maintains $P$ while $Q$ is not established. We do not have this guarantee when we specify $P \leadsto Q$. Finally, the third difference is that a general liveness property does not directly depend on any fairness assumption, while a basic liveness property does.

A property $P \leadsto Q$ holds in a B event system if it is derived by a finite number of applications of the rules defined by the UNITY theory:





$$\begin{array}{l|l|l}
 & \text{ANTECEDENT} & \text{CONSEQUENT} \\ \hline
\text{BRL} & G \cdot P \rhd_w Q & P \leadsto Q \\
\text{TRA} & P \leadsto R,\ R \leadsto Q & P \leadsto Q \\
\text{DSJ} & \forall m \cdot (m \in M \Rightarrow P(m) \leadsto Q) & \exists m \cdot (m \in M \wedge P(m)) \leadsto Q
\end{array}$$

So as to reason about liveness properties, we incorporate the proof system of UNITY in the framework of B event systems. We can use all the theorems in [?] concerning the ensures and leads-to relations in the proofs of several properties of B event systems.
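As an added example (not code from the report), the following checker derives $P \leadsto Q$ from a finite list of basic properties using only the three rules in the table above: BRL turns an ensures pair into a leads-to, TRA chains through an intermediate predicate, and DSJ takes unions. Predicates are represented as the sets of states satisfying them; the state space and the ensures pairs are constructed for the example, and the helpful events behind each ensures pair are not needed to apply the rules.

```python
# Added example (not from the report): deriving P ~> Q by the UNITY rules
# BRL, TRA and DSJ from a finite set of basic properties. A predicate is the
# set of states satisfying it; "G . A ensures_w B" is recorded as the pair
# (A, B). All data below is constructed for this example.
U = frozenset(range(5))                       # constructed state space

# Constructed basic properties: 0 ensures 1, 1 ensures 2, 3 ensures 2, and a
# property that never leaves state 4.
ENSURES = [
    (frozenset({0}), frozenset({1})),
    (frozenset({1}), frozenset({2})),
    (frozenset({3}), frozenset({2})),
    (frozenset({4}), frozenset({4})),
]

# A second constructed set where TRA must chain through a predicate that is
# itself only reachable by DSJ: {1, 3} ~> {2} is the union of two derivations.
ENSURES_VIA_UNION = [
    (frozenset({0}), frozenset({1, 3})),
    (frozenset({1}), frozenset({2})),
    (frozenset({3}), frozenset({2})),
]

def covers(sets, target):
    """DSJ: target is exactly the union of those members of sets it contains.
    The rules quoted on the page carry no weakening of the left-hand side, so a
    strict subset of target is not enough."""
    return frozenset().union(*(a for a in sets if a <= target)) == target

def sources_leading_to(q, ensures):
    """All predicates A with a derivation A ~> q whose last step is BRL or TRA:
    BRL: (A, q) in ensures.  TRA: (A, B) in ensures and B ~> q, where B ~> q
    is itself either q (BRL) or an exact union of sources found so far (DSJ).
    Computed as a least fixpoint over the finite rule set."""
    known = set()
    changed = True
    while changed:
        changed = False
        for a, b in ensures:
            if a not in known and (b == q or covers(known, b)):
                known.add(a)
                changed = True
    return known

def leads_to(p, q, ensures):
    """P ~> Q is derivable if P is the exact union (DSJ) of sources leading to Q.
    The empty predicate is excluded: DSJ over an empty index set M yields the
    predicate false, which these rules never put on the left of ~>."""
    return len(p) > 0 and covers(sources_leading_to(q, ensures), p)
```

With `ENSURES`, $\{0, 3\} \leadsto \{2\}$ is derivable (0 through 1 by TRA, 3 directly by BRL, then DSJ), while $\{4\} \leadsto \{2\}$ is not, because nothing ensures a predicate leading to 2 from state 4; with `ENSURES_VIA_UNION`, $\{0\} \leadsto \{2\}$ is derivable only because DSJ first gives $\{1, 3\} \leadsto \{2\}$.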

4.1 Refining Liveness Properties 

If an abstract system $S$ is refined into another one $T$, we need to assert that any abstract property $\mathcal{P}$ is preserved in $T$. As property $\mathcal{P}$ depends on basic properties $\mathcal{Q}$, we only need to demonstrate that each basic property $\mathcal{Q}$ is preserved in $T$. We can establish the validity of each property $\mathcal{Q}$ in the refinement $T$ by the proof of the WF0 and WF1 proof obligations. However, if we did these proofs, we would repeat the proofs done in the abstraction $S$, because WF0 is completely preserved by refinement and WF1 is partially preserved. So as to reduce the number and complexity of the proofs, we propose two new proof obligations that the refinement $T$ must satisfy in order to preserve a basic liveness property. We present these proof obligations for a certain basic liveness property $\mathcal{Q}$.

Let $\mathcal{Q}$ be the property $G \cdot P \rhd_w Q$ which holds in the abstract system $S$. From WF0' and WF1' in section 3 we know that $S$ can be considered as an event system $F \mathbin{[]} G$, where $F = \mathop{[]}_{i \in L - K} F_i$, such that $P \wedge \neg Q \Rightarrow [F]\,(P \vee Q)$ and $P \wedge \neg Q \Rightarrow [G]\,Q$ hold under the assumption of $I$. If $S$ is refined to $T$, the refinement is considered as an event system $F' \mathbin{[]} G' \mathbin{[]} H$, where $F'$ and $G'$ are the refinements of $F$ and $G$ respectively and $H$ are new events that refine $\mathrm{skip}$. We consider that the abstract state is refined by a concrete one, and these states are related by the gluing invariant $J$. Under the assumptions $I \wedge J$, and according to the very definition of refinement, we conclude that $P \wedge \neg Q \Rightarrow [F' \mathbin{[]} H]\,(P \vee Q)$ and $P \wedge \neg Q \Rightarrow [G']\,Q$ hold in $T$. However, we cannot assert that $P \wedge \neg Q \Rightarrow \mathrm{grd}(G')$ holds under the same assumptions, because the refined event $G'$ has a guard stronger than $\mathrm{grd}(G)$. Then, in order to guarantee the preservation of $\mathcal{Q}$, we need to prove that $T$ reaches a state in the guard of $G'$ when it is in a state out of the guard (rule LIP: Liveness Preservation), and that the guard of $G'$ is preserved by $F'$ and $H$ (rule SAP: Safety Preservation). Formally, the proof obligations in $T$ are:



$$\begin{array}{ll}
\text{LIP} & I \wedge J \wedge P \wedge \neg Q \wedge \neg\mathrm{grd}(G') \Rightarrow \ldots \\
\text{SAP} & I \wedge J \wedge P \wedge \neg Q \wedge \mathrm{grd}(G') \Rightarrow \ldots
\end{array}$$

We conclude this section with a summary of our approach to the specification and refinement of a general liveness property $\mathcal{P}$. Property $\mathcal{P}$ is proved in the abstract system $S$ by identifying basic liveness properties $\mathcal{Q}$ such that $\mathcal{P}$ is derived from $\mathcal{Q}$ by application of the rules given in section 4. Each property $\mathcal{Q}$ is then proved by the WF0 and WF1 proof obligations. When system $S$ is refined to system $T$, each property $\mathcal{Q}$ in $S$ generates new proof obligations $\mathcal{P}'_1$ and $\mathcal{P}'_2$ in $T$, as stated by the LIP and SAP rules. In turn, in order to prove each general liveness property $\mathcal{P}'_1$, we need to identify other basic liveness properties $\mathcal{Q}'$. We continue this process at each step of refinement. We observe that properties $\mathcal{Q}$ and $\mathcal{Q}'$ specify an atomic transition at each step of refinement. However, the transition at step $i+1$ of a refinement is "shorter" than the transition at step $i$. That is, at level $i$ a certain basic property $\mathcal{Q}$ specifies an atomic transition from a state in $P$ to another one in $Q$. At level $i+1$ we do not need to prove the (concrete) transition from $P$ to $Q$; we are only concerned with the transition specified in $\mathcal{Q}'$, which is necessary in the proof of the transition from a state in $r^{-1}[p \cap \overline{q}] \cap \overline{\mathrm{grd}(G')}$ to another one in $\mathrm{grd}(G')$, where $G'$ is the refinement of the helpful event related to $\mathcal{Q}$. In this way, our method of specification and proof of liveness properties becomes a guide that serves to specify and prove the dynamic behavior of a system at each level of refinement.

In the next subsection we give a justification of the proof obligations LIP and SAP as sufficient conditions to ensure the preservation of liveness properties under refinement.



4.2 Proving Refinement of Basic Liveness Properties under Weak Fairness 

When the abstract system $S$ (7) is refined, the abstract events $F$ and $G$ are refined by concrete events $F'$ and $G'$ respectively and new events $H$ appear. In this way, the abstract system $S$ is refined by the system $S'$:

$$S' = F' \mathbin{[]} G' \mathbin{[]} H \quad (17)$$

Let $y$ be the concrete state variable of $S'$ and $v$ the concrete state space, where $v = \{y \mid \exists x \cdot (I(x) \wedge J(x, y))\}$, $I$ is the abstract invariant of $S$ and $J$ the gluing invariant of $T$. The events $F'$, $G'$ and $H$ are modeled by conjunctive set transformers of type $\mathbb{P}(v) \to \mathbb{P}(v)$. The abstract and concrete events are related by the refinement relation: $F \sqsubseteq F'$ and $G \sqsubseteq G'$, and the new events refine $\mathrm{skip}$: $\mathrm{skip} \sqsubseteq H$. These relations among events are defined by the following proof obligations [1]:

$$\begin{aligned}
F(r[s]) &\subseteq r[F'(s)] & (18) \\
G(r[s]) &\subseteq r[G'(s)] & (19) \\
\mathrm{skip}(r[s]) &\subseteq r[H(s)] & (20)
\end{aligned}$$

where $s$ is universally quantified over $\mathbb{P}(v)$ and $r$ is a total relation from $v$ to $u$ defined as follows: $r = \{y \mapsto x \mid I(x) \wedge J(x, y)\}$.

From the conditions stated in Lemma 2, we know that the abstract system $S$ eventually reaches a state in $q$ when its execution arrives at any state of $p$. In order to preserve this abstract transition, we need to observe a concrete transition from a state in $p'$ to another one in $q'$, where $p'$ and $q'$ are the corresponding concrete sets $r^{-1}[p]$ and $r^{-1}[q]$ respectively. In the following paragraphs we analyze sufficient conditions for this concrete transition.
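As an added example (not code from the report), the following checks the refinement condition (18) exhaustively on a constructed refinement, and shows a candidate concrete event that violates it. The abstract state $x \in \{0,\ldots,3\}$, the concrete state $y \in \{0,\ldots,7\}$, the gluing invariant $x = y \,\mathrm{div}\, 2$ (so $r$ is a total relation, and here also functional), and the events are all assumptions of this example; `inclusion_28` and `totality_22` anticipate inclusions (28) and (22), which are proved from (18) further below.

```python
# Added example (not from the report): checking the set-theoretic refinement
# condition (18) on a constructed refinement. Abstract state x in u = {0..3};
# concrete state y in v = {0..7}; gluing invariant J: x = y div 2, so
# r = {y -> y div 2} is a total relation from v to u.
from itertools import combinations

U = frozenset(range(4))
V = frozenset(range(8))
R = {y: {y // 2} for y in V}            # constructed relation r from v to u

# Constructed abstract event F: x := x + 1 if x < 3 (not enabled at x = 3).
F_abs = {x: ({x + 1} if x < 3 else set()) for x in U}
# Candidate refinement F1: y := y + 2 if y < 6. Each step moves the abstract
# state from x to x + 1, as F does.
F1 = {y: ({y + 2} if y < 6 else set()) for y in V}
# Candidate F2: y := y + 1 if y < 7. From an even y this leaves the abstract
# state unchanged, a behaviour F does not allow, so it must fail (18).
F2 = {y: ({y + 1} if y < 7 else set()) for y in V}

def wp(ev, space, s):
    """str(F)(s) for an always-terminating event: all outcomes lie in s."""
    return frozenset(x for x in space if ev[x] <= s)

def image(rel, a):
    """r[a]: abstract states related to some concrete state in a."""
    return frozenset(x for y in a for x in rel[y])

def inverse_image(rel, b):
    """r^{-1}[b]: concrete states related to some abstract state in b."""
    return frozenset(y for y in rel if rel[y] & b)

def subsets(space):
    items = list(space)
    return [frozenset(c) for n in range(len(items) + 1) for c in combinations(items, n)]

def counterexample_18(ev_abs, ev_conc):
    """The first s ⊆ v violating F(r[s]) ⊆ r[F'(s)], or None if (18) holds."""
    for s in subsets(V):
        if not wp(ev_abs, U, image(R, s)) <= image(R, wp(ev_conc, V, s)):
            return s
    return None

def refines(ev_abs, ev_conc):
    """Condition (18) for every s ⊆ v."""
    return counterexample_18(ev_abs, ev_conc) is None

def inclusion_28(ev_abs, ev_conc):
    """Inclusion (28): r^{-1}[F(s)] ⊆ F'(r^{-1}[s]) for every s ⊆ u."""
    return all(inverse_image(R, wp(ev_abs, U, s)) <= wp(ev_conc, V, inverse_image(R, s))
               for s in subsets(U))

def totality_22(ev_conc):
    """Inclusion (22): F'(v) = v, i.e. the concrete event always terminates."""
    return wp(ev_conc, V, V) == V
```

For `F2` the violating postcondition is $s = \{3\}$: $r[s] = \{1\}$ and $F(\{1\}) = \{0, 3\}$ (state 3 is miraculous for `F`), but $F2(\{3\}) = \{2, 7\}$ and $r[\{2, 7\}] = \{1, 3\}$ does not contain 0.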
We consider the fair iteration $X'(q')$ made up of the events in $S'$:

$$X'(q') = \overline{q'} \Longrightarrow (((F' \mathbin{[]} H) ; X'(q')) \nabla G') \quad (21)$$

This recursion models the iteration of the events $F'$ and $H$ in the concrete system. Now we state the following lemma:

Lemma 5. (Partial Correctness)

Under the assumptions of Lemma 2 and the refinement conditions (18), (19) and (20), the inclusion $p' \cup q' \subseteq \mathcal{L}(X'(q'))(q')$ holds.

Proof 

A brief outline of the proof is as follows. From the assumptions of the lemma for the abstract system, $F(u) = u$, $G(u) = u$, 
$p \cap \overline{q} \subseteq F(p \cup q)$ and $p \cap \overline{q} \subseteq G(q)$, and the refinement conditions (18), (19) and (20), the following 
inclusions follow: 

$F'(v) = v$ (22) 
$G'(v) = v$ (23) 
$H(v) = v$ (24) 
$r^{-1}[p \cap \overline{q}] \subseteq F'(p' \cup q')$ (25) 
$r^{-1}[p \cap \overline{q}] \subseteq G'(q')$ (26) 
$r^{-1}[p \cap \overline{q}] \subseteq H(p' \cup q')$ (27) 

We prove (22) and (25). The other proofs are done in a similar way. First, we prove the 
following inclusion for any $s$ in $\mathbb{P}(u)$: 

$r^{-1}[F(s)] \subseteq F'(r^{-1}[s])$ (28) 

The proof of this inclusion is based on the equivalence $r[a] \subseteq b \equiv r^{-1}[b] \subseteq a$, where $a$ and $b$ are 
universally quantified over $\mathbb{P}(v)$ and $\mathbb{P}(u)$ respectively. The reference to this equivalence in 
the proof is given as "(Equ)". The proof of (28) is: 

1. $F(r[r^{-1}[s]]) \subseteq r[F'(r^{-1}[s])]$ ; from (18) 
2. $r[F'(r^{-1}[s])] \subseteq F(r[r^{-1}[s]])$ ; 1 
3. $r^{-1}[F(r[r^{-1}[s]])] \subseteq F'(r^{-1}[s])$ ; 2 and Equ 
4. $r^{-1}[s] \subseteq r^{-1}[s]$ ; trivial 
5. $r[r^{-1}[s]] \subseteq s$ ; 4 and Equ 
6. $s \subseteq r[r^{-1}[s]]$ ; 5 
7. $r^{-1}[F(s)] \subseteq r^{-1}[F(r[r^{-1}[s]])]$ ; 6 and monotony 
8. $r^{-1}[F(s)] \subseteq F'(r^{-1}[s])$ ; 7 and 3 

The proof of (22) is as follows: 

1. $F'(v) \subseteq v$ ; $F' \in \mathbb{P}(v) \rightarrow \mathbb{P}(v)$ 
2. $r^{-1}[F(u)] \subseteq F'(r^{-1}[u])$ ; (28) and $s = u$ 
3. $r^{-1}[u] \subseteq F'(r^{-1}[u])$ ; 2 and $F(u) = u$ 
4. $v \subseteq F'(v)$ ; $r$ total: $r^{-1}[u] = v$ 
5. $F'(v) = v$ ; 4 and 1 
The proof of (25) is as follows: 

1. $r^{-1}[p \cap \overline{q}] \subseteq r^{-1}[F(p \cup q)]$ ; from Hyp. 
2. $r^{-1}[F(p \cup q)] \subseteq F'(r^{-1}[p \cup q])$ ; (28) and $s = p \cup q$ 
3. $r^{-1}[p \cap \overline{q}] \subseteq F'(p' \cup q')$ ; 2, 1, def. of $p'$ and $q'$ 

With the inclusions (22)-(27) we make a calculus similar to the proof of the subgoal $p \cup q \subseteq \mathcal{L}(X(q))(q)$ 
of the lemma for the abstract system. That is, we derive the equality 
$\mathcal{L}(X'(q'))(q') = \mathrm{FIX}(\overline{q'} \Longrightarrow (G'(q') \,[]\, (F' \,[]\, H)))$ in a 
way similar to the calculation of (13). Then, using the equality 
$\mathrm{FIX}(\overline{q'} \Longrightarrow (G'(q') \,[]\, (F' \,[]\, H))) = \bigcup \Phi'$, 
where $\Phi' = \{x \mid x \in \mathbb{P}(v) \wedge x \subseteq (\overline{q'} \Longrightarrow (G'(q') \,[]\, (F' \,[]\, H)))(x)\}$, we conclude $p' \cup q' \in \Phi'$ 
from the refinement conditions. Finally, from $p' \cup q' \in \Phi'$ and the last two equalities we conclude 
the goal of lemma 5: $p' \cup q' \subseteq \mathcal{L}(X'(q'))(q')$. 

□ 

The inclusion $q' \cup grd(G') \subseteq pre(X'(q'))$ follows from a calculus similar to the proof of 
the corresponding lemma for the abstract system. As we know, in $S$, $p \cap \overline{q}$ is included in the guard of $G$. Unfortunately this inclusion 
is not preserved by refinement, because the guard of $G'$ is stronger than the guard of $G$ 
($grd(G') \subseteq r^{-1}[grd(G)]$). Therefore the set $r^{-1}[p \cap \overline{q}]$ is not included in the termination set 
of $X'(q')$. From lemma 5, the inclusion $grd(G') \subseteq pre(X'(q'))$ and the pairing condition, we conclude 
$p' \cap grd(G') \subseteq X'(q')(q')$. Furthermore, if the guard of $G'$ is preserved by $F'$ and $H$, we can 
assert that the concrete system $S'$ has a transition to a state in $q'$ whenever it arrives at any 
state in $p' \cap grd(G')$. This is formally stated in the following lemma: 

Lemma 6. Under the assumptions of the lemma for the abstract system $S$ and the refinement conditions (18), (19) and (20), 
as well as the following condition: 

$r^{-1}[p \cap \overline{q}] \cap grd(G') \subseteq (F' \,[]\, H)(grd(G'))$ (29) 

the property $G' \cdot\; y \in p' \wedge grd(G') \;\mathit{ensures}_w\; y \in q'$ holds in $S'$. 
Proof 

We apply the WF0 and WF1 proof obligations in order to prove this lemma. First, we prove the 
following inclusion: 

$p' \cap \overline{q'} \subseteq r^{-1}[p \cap \overline{q}]$ (30) 

We take $y \in p' \cap \overline{q'}$ as premise and we prove $y \in r^{-1}[p \cap \overline{q}]$: 

1. $y \in p' \cap \overline{q'}$ ; premise 
2. $y \in p' \wedge \neg(y \in q')$ ; 1 
3. $y \in r^{-1}[p] \wedge \neg(y \in r^{-1}[q])$ ; 2 and def. of $p'$ and $q'$ 
4. $\exists x \cdot (x \in p \wedge x \mapsto y \in r^{-1}) \wedge \neg(\exists x \cdot (x \in q \wedge x \mapsto y \in r^{-1}))$ ; 3 
5. $\exists x \cdot (x \in p \wedge x \mapsto y \in r^{-1}) \wedge \forall x \cdot (x \mapsto y \in r^{-1} \Rightarrow x \notin q)$ ; 4 
6. $\exists x \cdot (x \in p \wedge x \notin q \wedge x \mapsto y \in r^{-1})$ ; 5 
7. $y \in r^{-1}[p \cap \overline{q}]$ ; 6 

Proof of WF0: $y \in p' \wedge grd(G') \wedge y \notin q' \Rightarrow [F' \,[]\, H]\,(y \in p' \wedge grd(G') \vee y \in q')$: 

1. $r^{-1}[p \cap \overline{q}] \subseteq F'(p' \cup q')$ ; (25) 
2. $r^{-1}[p \cap \overline{q}] \subseteq H(p' \cup q')$ ; (27) 
3. $r^{-1}[p \cap \overline{q}] \cap grd(G') \subseteq (F' \,[]\, H)(grd(G'))$ ; (29) 
4. $r^{-1}[p \cap \overline{q}] \cap grd(G') \subseteq (F' \,[]\, H)(p' \cap grd(G') \cup q')$ ; 3, 2 and 1 
5. $p' \cap \overline{q'} \subseteq r^{-1}[p \cap \overline{q}]$ ; (30) 
6. $p' \cap grd(G') \cap \overline{q'} \subseteq (F' \,[]\, H)(p' \cap grd(G') \cup q')$ ; 5 and 4 
7. $y \in p' \wedge grd(G') \wedge y \notin q' \Rightarrow [F' \,[]\, H]\,(y \in p' \wedge grd(G') \vee y \in q')$ ; 6, set trans. 
Proof of WF1: $y \in p' \wedge grd(G') \wedge y \notin q' \Rightarrow grd(G') \wedge [G']\, y \in q'$: 

1. $r^{-1}[p \cap \overline{q}] \subseteq G'(q')$ ; (26) 
2. $p' \cap \overline{q'} \subseteq r^{-1}[p \cap \overline{q}]$ ; (30) 
3. $p' \cap \overline{q'} \subseteq G'(q')$ ; 2 and 1 
4. $p' \cap grd(G') \cap \overline{q'} \subseteq grd(G') \cap G'(q')$ ; 3 
5. $y \in p' \wedge grd(G') \wedge y \notin q' \Rightarrow grd(G') \wedge [G']\, y \in q'$ ; 4 

□ 

In fact, a calculus of the termination set of $X'(q')$, using the definition of the dovetail operator 
$\nabla$, allows us to conclude $pre(X'(q')) = \mathrm{fix}(\overline{q'} \cap \overline{grd(G')} \Longrightarrow (F' \,[]\, H))$. According to [1], 
$pre(X'(q'))$ is the same set as the termination set of $(\overline{q'} \cap \overline{grd(G')} \Longrightarrow (F' \,[]\, H))^{\wedge}$. From the 
equality between the two sets, we conclude that the iteration of $F'$ and $H$ stops when $S'$ 
arrives at a state in $grd(G') \cup q'$. This reasoning allows us to propose the following lemma: 

Lemma 7. Under the assumptions of the lemma for the abstract system $S$ and the condition: 

$y \in r^{-1}[p \cap \overline{q}] \wedge \neg grd(G') \leadsto grd(G')$ (31) 

the property $y \in p' \leadsto y \in q'$ holds in $S'$. 

Proof 

The proof of lemma 7 requires the proof of the following property: 

$y \in p' \cap \overline{q'} \wedge \neg grd(G') \;\mathit{unless}\; y \in p' \cap \overline{q'} \wedge grd(G') \vee y \in q'$ (32) 

Let $lhs$ be the left hand side of the unless property and $rhs$ its right hand side. The unless 
property follows from $lhs \wedge \neg rhs \Rightarrow [S']\,(lhs \vee rhs)$. In this case, the property follows from 
the following implication: 

$y \in p' \cap \overline{q'} \wedge \neg grd(G') \Rightarrow [S']\,(y \in p' \cap \overline{q'} \vee y \in q')$ 

1. $r^{-1}[p \cap \overline{q}] \subseteq (F' \,[]\, H)(p' \cup q')$ ; (25) and (27) 
2. $r^{-1}[p \cap \overline{q}] \subseteq (F' \,[]\, H)(p' \cap \overline{q'} \cup q')$ ; 1 and absorption 
3. $p' \cap \overline{q'} \subseteq r^{-1}[p \cap \overline{q}]$ ; (30) 
4. $p' \cap \overline{q'} \subseteq (F' \,[]\, H)(p' \cap \overline{q'} \cup q')$ ; 3 and 2 
5. $p' \cap \overline{q'} \cap \overline{grd(G')} \subseteq G'(p' \cap \overline{q'} \cup q')$ ; def. of $grd(G')$ 
6. $p' \cap \overline{q'} \cap \overline{grd(G')} \subseteq S'(p' \cap \overline{q'} \cup q')$ ; 5 and 4 
7. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \Rightarrow [S']\,(y \in p' \cap \overline{q'} \vee y \in q')$ ; 6 

The proof uses the PSP theorem: 

$\dfrac{P \leadsto Q \,,\; R \;\mathit{unless}\; S}{P \wedge R \leadsto (Q \wedge R) \vee S}$ 

and the cancellation (CAN) theorem: 

$\dfrac{P \leadsto Q \vee R \,,\; R \leadsto R'}{P \leadsto Q \vee R'}$ 






1. $y \in r^{-1}[p \cap \overline{q}] \wedge \neg grd(G') \leadsto grd(G')$ ; (31) 
2. $p' \cap \overline{q'} \subseteq r^{-1}[p \cap \overline{q}]$ ; (30) 
3. $p' \cap \overline{q'} \cap \overline{grd(G')} \subseteq r^{-1}[p \cap \overline{q}] \cap \overline{grd(G')}$ ; 2 
4. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \Rightarrow y \in r^{-1}[p \cap \overline{q}] \wedge \neg grd(G')$ ; 3 
5. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \leadsto y \in r^{-1}[p \cap \overline{q}] \wedge \neg grd(G')$ ; 4 
6. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \leadsto grd(G')$ ; TRA 5, 1 
7. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \leadsto y \in p' \cap \overline{q'} \wedge grd(G') \vee y \in q'$ ; 6, PSP and (32) 
8. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \leadsto y \in p' \wedge grd(G') \vee y \in q'$ ; 7 
9. $y \in p' \wedge grd(G') \leadsto y \in q'$ ; lemma 6 and BRL 
10. $y \in p' \cap \overline{q'} \wedge \neg grd(G') \leadsto y \in q'$ ; CAN 9 and 8 
11. $y \in p' \cap \overline{q'} \wedge grd(G') \Rightarrow y \in p' \wedge grd(G')$ ; trivial 
12. $y \in p' \cap \overline{q'} \wedge grd(G') \leadsto y \in q'$ ; 11, BRL, 9, TRA 
13. $y \in p' \cap \overline{q'} \leadsto y \in q'$ ; DSJ 12 and 10 
14. $y \in p' \cap q' \Rightarrow y \in q'$ ; trivial 
15. $y \in p' \leadsto y \in q'$ ; 14, BRL, DSJ 13 



□ 
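As an added illustration that is not part of the report, the refinement obligations (18)-(20), the SAP condition (29) and the termination set pre(X'(q')) discussed before lemma 7 are checked exhaustively on a constructed finite toy refinement. The state spaces, events, gluing relation and the sets p, q are all assumptions made here; bounded choice [] is taken as the conjunction of set transformers and the loop fixpoint is computed by Kleene iteration.

```python
# Added example (not from the report): a constructed toy refinement checked against
# the proof obligations (18)-(20), the SAP condition (29) and the termination set
# pre(X'(q')) = fix(q̄' ∩ ¬grd(G') ==> (F' [] H)) discussed before lemma 7.
from itertools import combinations

def event(states, grd, act):
    # Set transformer of the guarded event grd ==> act: S(s) = {x | grd(x) => act(x) ∈ s}
    return lambda s: frozenset(x for x in states if not grd(x) or act(x) in s)
choice = lambda s1, s2: (lambda s: s1(s) & s2(s))                    # (S1 [] S2)(s) = S1(s) ∩ S2(s)
guard = lambda trans, states: frozenset(states) - trans(frozenset())  # grd(S) = complement of S(∅)

def subsets(states):
    xs = list(states)
    return (frozenset(c) for n in range(len(xs) + 1) for c in combinations(xs, n))

# Abstract system S = F [] G on u = {0,1,2}, with p = {1,2} and q = {0} (all constructed).
u = frozenset({0, 1, 2})
F = event(u, lambda x: x == 2, lambda x: 1)          # F: x = 2 ==> x := 1
G = event(u, lambda x: x in (1, 2), lambda x: 0)     # G: x ∈ {1,2} ==> x := 0
p, q = frozenset({1, 2}), frozenset({0})

# Concrete system S' = F' [] G' [] H on v; state y = (x, z), gluing invariant J: x = y[0].
v = frozenset((x, z) for x in u for z in (0, 1))
Fc = event(v, lambda y: y[0] == 2, lambda y: (1, y[1]))                  # F'
Gc = event(v, lambda y: y[0] in (1, 2) and y[1] == 1, lambda y: (0, 0))  # G', stronger guard
H = event(v, lambda y: y[1] == 0, lambda y: (y[0], 1))                   # new event H
r = frozenset((y, y[0]) for y in v)                      # r = {y |-> x | I(x) ∧ J(x, y)}
img = lambda s: frozenset(x for (y, x) in r if y in s)   # r[s]
inv = lambda t: frozenset(y for (y, x) in r if x in t)   # r^-1[t]
skip = lambda s: s

def refines(abstract, concrete):
    # Proof obligations (18)-(20): abstract(r[s]) ⊆ r[concrete(s)] for every s ⊆ v
    return all(abstract(img(s)) <= img(concrete(s)) for s in subsets(v))

def sap_holds():
    # Condition (29): r^-1[p ∩ q̄] ∩ grd(G') ⊆ (F' [] H)(grd(G'))
    g = guard(Gc, v)
    return (inv(p - q) & g) <= choice(Fc, H)(g)

def termination_set(q_c):
    # fix(q̄' ∩ ¬grd(G') ==> (F' [] H)): least fixpoint of s |-> ḡ ∪ (F' [] H)(s), Kleene iteration
    g = (v - q_c) - guard(Gc, v)                         # loop guard q̄' ∩ ¬grd(G')
    step = lambda s: (v - g) | choice(Fc, H)(s)
    s, nxt = frozenset(), step(frozenset())
    while s != nxt:
        s, nxt = nxt, step(nxt)
    return s

def lemma7_conclusion():
    # r^-1[p ∩ q̄] ⊆ pre(X'(q')): the iteration of F' and H stops in grd(G') ∪ q'
    return inv(p - q) <= termination_set(inv(q))
```

Here the guard of G' is strictly stronger than r^-1[grd(G)] (the states with z = 0 are outside it), which is exactly the situation in which condition (29) and lemma 7 are needed.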

Our last step in our proofs is to demonstrate that the premises (29) and (31) of lemmas 6 
and 7 are equivalent to the SAP and LIP proof obligations. 

As we can see, the premises (29) and (31) of lemmas 6 and 7 are the set-theoretical 
counterpart of the SAP and LIP proof obligations, which are needed to guarantee the preservation 
of basic liveness properties in a refinement. 

In order to prove the equivalence between (29) and the SAP rule, we demonstrate the following 
equivalences: 

$y \in r^{-1}[p \cap \overline{q}] \equiv \exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x))$ (33) 
$y \in grd(G') \equiv y \in v \wedge grd(G')$ (34) 
$y \in (F' \,[]\, H)(\overline{G'(\emptyset)}) \equiv y \in v \wedge [F' \,[]\, H]\, grd(G')$ (35) 

Proof of (33) 

$y \in r^{-1}[p \cap \overline{q}]$ 
$\equiv$ 
$\exists x \cdot (x \in p \cap \overline{q} \wedge y \mapsto x \in r)$ 
$\equiv$ { def. of $p$ and $q$ } 
$\exists x \cdot (P(x) \wedge \neg Q(x) \wedge x \in u \wedge y \mapsto x \in r)$ 
$\equiv$ { def. of $u$ and $r$ } 
$\exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x))$ 

□ 
Proof of (34) 

$y \in grd(G')$ 
$\equiv$ { def. of $grd(G')$ } 
$y \in \overline{G'(\emptyset)}$ 
$\equiv$ { def. of $G'(\emptyset)$ } 
$y \in \overline{\{z \mid z \in v \wedge [G']\, z \in \emptyset\}}$ 
$\equiv$ { set theory } 
$y \in \{z \mid z \in v \wedge \neg [G']\, z \in \emptyset\}$ 
$\equiv$ { set theory } 
$y \in \{z \mid z \in v \wedge \neg [G']\, \mathit{false}\}$ 
$\equiv$ { set theory } 
$y \in \{z \mid z \in v \wedge grd(G')\}$ 
$\equiv$ 
$y \in v \wedge grd(G')$ 

□ 

Proof of (35) 

$y \in (F' \,[]\, H)(\overline{G'(\emptyset)})$ 
$\equiv$ { def. of set transformer } 
$y \in \{z \mid z \in v \wedge [F' \,[]\, H]\, z \in \overline{G'(\emptyset)}\}$ 
$\equiv$ { (34) } 
$y \in \{z \mid z \in v \wedge [F' \,[]\, H]\, (z \in v \wedge grd(G'))\}$ 
$\equiv$ { $[F' \,[]\, H]\, z \in v \equiv z \in v$ } 
$y \in \{z \mid z \in v \wedge [F' \,[]\, H]\, grd(G')\}$ 
$\equiv$ { set theory } 
$y \in v \wedge [F' \,[]\, H]\, grd(G')$ 

□ 

The equivalence between (29) and the SAP rule is as follows: 

Proof 

$r^{-1}[p \cap \overline{q}] \cap grd(G') \subseteq (F' \,[]\, H)(grd(G'))$ 
$\equiv$ 
$\forall y \cdot (y \in r^{-1}[p \cap \overline{q}] \cap grd(G') \Rightarrow y \in (F' \,[]\, H)(grd(G')))$ 
$\equiv$ 
$\forall y \cdot (y \in r^{-1}[p \cap \overline{q}] \wedge y \in grd(G') \Rightarrow y \in (F' \,[]\, H)(grd(G')))$ 
$\equiv$ { (33), (34) and (35) } 
$\forall y \cdot (\exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x)) \wedge y \in v \wedge grd(G') \Rightarrow y \in v \wedge [F' \,[]\, H]\, grd(G'))$ 
$\equiv$ 
$\forall y \cdot (\exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x)) \wedge y \in v \wedge grd(G') \Rightarrow [F' \,[]\, H]\, grd(G'))$ 
$\equiv$ { $\exists x \cdot (P(x) \wedge I(x) \wedge J(y,x)) \Rightarrow y \in v$ } 
$\forall y \cdot (\exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x)) \wedge grd(G') \Rightarrow [F' \,[]\, H]\, grd(G'))$ 
$\equiv$ 
$\forall (x,y) \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x) \wedge grd(G') \Rightarrow [F' \,[]\, H]\, grd(G'))$ 

□ 
In order to prove the equivalence between (31) and the LIP proof obligation, we need the 
following theorem about leads-to: 

$\dfrac{(\exists x \cdot (P(x)) \wedge Q) \leadsto R \,,\; x \backslash Q \,,\; x \backslash R}{(P(x) \wedge Q) \leadsto R}$ (36) 

Proof 

1. $(\exists x \cdot (P(x)) \wedge Q) \leadsto R$ ; premise 
2. $(\exists y \cdot (P(y)) \wedge Q) \leadsto R$ ; 1 
3. $P(x) \Rightarrow \exists y \cdot (P(y))$ ; for any $x$ 
4. $P(x) \wedge Q \Rightarrow (\exists y \cdot (P(y)) \wedge Q)$ ; 3 
5. $(P(x) \wedge Q) \leadsto (\exists y \cdot (P(y)) \wedge Q)$ ; 4 and BRL 
6. $(P(x) \wedge Q) \leadsto R$ ; TRA 5 and 2 

□ 



Now, the equivalence between (31) and the LIP proof obligation is as follows: 

$y \in r^{-1}[p \cap \overline{q}] \wedge \neg grd(G') \leadsto grd(G')$ 
$\equiv$ { using (33) } 
$\exists x \cdot (P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x)) \wedge \neg grd(G') \leadsto grd(G')$ 
$\equiv$ { $x \backslash grd(G')$, (36) and DSJ } 
$P(x) \wedge \neg Q(x) \wedge I(x) \wedge J(y,x) \wedge \neg grd(G') \leadsto grd(G')$ 

□ 



5 Conclusions 

In this report we present a formal model of fair iteration of events in a B event system. 
Moreover, we use the model to justify our proof obligations for basic liveness properties and for the 
preservation under refinement of general liveness properties. The model of fair iteration of 
events uses the dovetail operator, an operator proposed in [4] to model fair choice. Our proofs 
are mainly founded on fixpoint calculations of fair iteration of events and weakest precondition 
calculus. 

Our approach to justifying our proof obligations was inspired by [2]. The approach, founded 
on fixpoint calculations and weakest precondition calculus, to justify proof obligations about 
liveness properties is not the classical one. It is common to justify proof obligations for this kind of 
property by operational reasoning about state traces of the system, and such justifications 
are not as formal as expected. The approach taken in this report allows us to make axiomatic 
proofs and to verify them with the prover of Atelier B. 

As future work, we will investigate the relationship between general liveness properties and 
the iteration of events under weak fairness or minimal progress assumptions. We are mainly 
interested in sufficient conditions to guarantee the preservation of liveness properties when a system 
with weak fairness assumptions is refined into a system with minimal progress assumptions. 